Unless this IP is fixed and known in advance, I am not aware of PORTS being capable of counting SYN_RECV entries grouped by source IP, as in "select count(*) from TCPstateTable where state="SYN_RECV" and dstTuple="151.8.36.12:80" group by SRCIP".<br>Currently I use PORTS to generate alerts and track total counts of TIME_WAIT for a database server's TCP service.<br><br><div><span class="gmail_quote">On 9/26/06, <b class="gmail_sendername">Roberto Tagliaferri</b> <<a href="mailto:r.tagliaferri@tosnet.it">r.tagliaferri@tosnet.it</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Is there a way to monitor the number of simultaneous open ports from the<br>same IP?<br>I need to alert when a (stupid...) attacker sends a thing like this:<br><br><pre>
tcp        0      0 151.8.36.12:80          206.225.82.32:9654      SYN_RECV
tcp        0      0 151.8.36.12:80          206.225.82.32:63256     SYN_RECV
tcp        0      0 151.8.36.12:80          206.225.82.32:11611     SYN_RECV
tcp        0      0 151.8.36.12:80          206.225.82.32:55544     SYN_RECV
tcp        0      0 151.8.36.12:80          206.225.82.32:55045     SYN_RECV
tcp        0      0 151.8.36.12:80          206.225.82.32:949       SYN_RECV
tcp        0      0 151.8.36.12:80          206.225.82.32:19880     SYN_RECV
tcp        0      0 151.8.36.12:80          206.225.82.32:13331     SYN_RECV
tcp        0      0 151.8.36.12:80          206.225.82.32:31280     SYN_RECV
tcp        0      0 151.8.36.12:80          206.225.82.32:44500     SYN_RECV
tcp        0      0 151.8.36.12:80          206.225.82.32:11909     SYN_RECV
tcp        0      0 151.8.36.12:80          206.225.82.32:58313     SYN_RECV
tcp        0      0 151.8.36.12:80          206.225.82.32:47932     SYN_RECV
tcp        0      0 151.8.36.12:80          206.225.82.32:15468     SYN_RECV
tcp        0      0 151.8.36.12:80          206.225.82.32:2060      SYN_RECV
tcp        0      0 151.8.36.12:80          206.225.82.32:56875     SYN_RECV
tcp        0      0 151.8.36.12:80          206.225.82.32:45630     SYN_RECV
</pre><br><br>--<br>Roberto Tagliaferri<br>Head of Design & Production<br>TosNet s.r.l. - Internet Service Provider<br><a href="mailto:r.tagliaferri@tosnet.it">r.tagliaferri@tosnet.it</a><br><a href="http://www.tosnet.it">www.tosnet.it</a><br><br></blockquote>
</div><br>
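<p>The "count SYN_RECV grouped by source IP for one local tuple" query that the reply sketches in pseudo-SQL, implemented as a small script over netstat output. This is an added example for this thread, not part of Hobbit or its PORTS test; the sample netstat lines are constructed (mirroring the format quoted above), and the alert threshold of 3 is an assumed value.</p>

```python
"""Count half-open (SYN_RECV) TCP connections per remote IP from netstat output.

Added example for the mailing-list thread; not Hobbit/PORTS code.
Sample lines are constructed; the threshold is an assumed value.
"""
from collections import Counter
import subprocess

# Constructed sample in the layout of `netstat -nt` on Linux (one flow per line).
SAMPLE_NETSTAT = """\
tcp        0      0 151.8.36.12:80          206.225.82.32:9654      SYN_RECV
tcp        0      0 151.8.36.12:80          206.225.82.32:63256     SYN_RECV
tcp        0      0 151.8.36.12:80          206.225.82.32:11611     SYN_RECV
tcp        0      0 151.8.36.12:80          10.1.2.3:40001          SYN_RECV
tcp        0      0 151.8.36.12:80          10.1.2.3:40002          ESTABLISHED
tcp        0      0 151.8.36.12:3306        10.1.2.4:50123          TIME_WAIT
"""

def syn_recv_by_source(netstat_text, local_tuple="151.8.36.12:80"):
    """Equivalent of:
         select SRCIP, count(*) from TCPstateTable
         where state='SYN_RECV' and dstTuple=<local_tuple> group by SRCIP
    Returns a Counter keyed by remote IP (ephemeral port stripped)."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Expected layout: proto recv-q send-q local remote state
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6"):
            continue
        local, remote, state = fields[3], fields[4], fields[5]
        if state != "SYN_RECV" or local != local_tuple:
            continue
        src_ip = remote.rsplit(":", 1)[0]  # drop the remote port, keep the IP
        counts[src_ip] += 1
    return counts

def offenders(counts, threshold=3):
    """Remote IPs holding at least `threshold` half-open connections (assumed threshold)."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def live_counts(local_tuple="151.8.36.12:80"):
    """Run netstat on the local host (Linux) and group its SYN_RECV rows; suitable
    for a cron job or a custom Hobbit client-side test script."""
    out = subprocess.run(["netstat", "-nt"], capture_output=True, text=True, check=True).stdout
    return syn_recv_by_source(out, local_tuple)

if __name__ == "__main__":
    counts = syn_recv_by_source(SAMPLE_NETSTAT)
    for ip in offenders(counts):
        print(f"ALERT: {ip} has {counts[ip]} half-open connections to 151.8.36.12:80")
```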